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IN THE CLAIMS; 

1 . (Currently amended) A computer-implemented m ethod in a data processing system for 
reporting security situations, comprising the computer-implemented s teps of: 

in a first correlation server in a hierarchy of correlation servers, l ogging events by storing 
event attributes as an event set, wherein each event set includes a source attribute, a target 
attribute and an event category attribute; 

classifying events as groups by aggregating events with at least one attribute within the 
event set as an identical value; 

calculating a respective severity level levels for each of t he groups; 

calculating adelta aovoritios severity for each group from the respective severity level 
and a respective prior severity level levels; and 

for each group having a non-zero_delta severity, propagating the respective delta 
seve?4fca severity t o a higher-level correlation server. 

2. (Currently amended) The computer-implemented m ethod of claim 1 > wherein the severity 
levels are calculated based on at least one of the number of event sets within each of the groups, 
the source attribute of the event sets within each of the groups, the target attribute of the event 
sets within each of the groups, and the event category attribute of the event sets within each of 
the groups, 

3. (Currently amended) Th e_computer-implcmented method of claim 1 „ wherein the events 
include at least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation. 

4. (Currently amended) The computer-implemented method of claim 1 , further comprising: 
calculating the threshold value based on at least one of the source attribute of the event 

sets within the group, the target attribute of the event sets within the group, the event category 
attribute in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group. 
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5. (Currently amended) The computer-implemented m ethod of claim l s wherein the target 
attribute represents one of a computer and a collection of computers. 

6. (Currently amended) The computer-implemented m ethod of claim 1 . wherein the source 
attribute represents one of a computer and a collection of computers. 

7. (Currently amended) The computer-implemented m ethod of claim 1 3 further comprising: 
aggregating a subset of the groups into a combined group. 

8-10, (Cancelled) 

1 1 . (Currently amended) A computer program product^ in - n - - comput e r r e adabl e medium for 
reporting s e curity e venta, comprising instructions for : 

a tecordabie-tvpe media having computer-readable instructions including 

first instructions, in a first correlation server in a hierarchy of correlation servers, for 
logging events by storing event attributes as an event set, wherein each event set includes a 
source attribute, a target attribute and an event category attribute; 

second instructions for classifying events as groups by aggregating events with at least 
one attribute within the event set as an identical value; 

third instructions for c alculating a severit y level l e vels for each of t he groups; 

fourth instructions for c alculating ajjelta se v e riti es severity for each group from the 
respective severity level and a prior severity level te vefe; and 

fifth instructions for p ropagatin g, for each group having a non-zero delta severity, t he 
delta severities severity t o a higher-level correlation server. 

1 2. (Original) The computer program product of claim 1 1 , wherein the severity levels are 
calculated based on at least one of the number of event sets within each of the groups, the source 
attribute of the event sets within each of the groups, the target attribute of the event sets within 
each of the groups, and the event category attribute of the event sets within each of the groups. 
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1 3. (Original) The computer program product of claim 1 1, wherein the events include at 
least one of a web server event, an electronic mail event, a Trojan horse, denial of service, a 
virus, a network event, an authentication failure, and an access violation. 

14. (Currently amended) The computer program product of claim 1 1 , oomprioing additional 
fflstructiong for wherein the computer-readable instructions further include : 

sixth instructions for c alculating the threshold value based on at least one of the source 
attribute of the event sets within the group, the target attribute of the event sets within the group, 
the event category attribute in each event set of the group, and the number of attributes in each 
event set of the group that are held constant across all of the event sets in the group. 

1 5. (Original) The computer program product of claim 1 1, wherein the target attribute 
represents one of a computer and a collection of computers. 

16. (Original) The computer program product of claim 1 1, wherein the source attribute 
represents one of a computer and a collection of computers. 

1 7. (Currently amended) The computer program product of claim 1 1 , comprising additional 
inotruotiono for wherein the computer-readable instructions further include : 

seventh instructions for aggregating a subset of the groups into a combined group. 

18-20. (Cancelled) 

21. (Currently amended) A data processing system for reporting security events, comprising: 
a first bus system; 
a first m emory: 

a firstprocessing uni t connected as a first correlation server in a hierarchy of correlation 

servers , wherein the first p rocessing unit includes at least one processor; and 
a firgt,$et of instructions within the first m emory. 

wherein the firstprocessing unit executes the first set of instructions to perform the acts 
of: 
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logging events by storing event attributes as an event set, wherein each event set 
includes a source attribute, a target attribute and an event category attribute; 

classifying events as groups by aggregating events with at least one attribute 
within the event set as an identical value; 

calculating a severit y level lovolo for each of the groups; 

calculating &delta se v e riti e s severity for each group from the respective s everity 
level and a prior severity level l evels: and 

for each pr oup having a non-zero delta severity, p ropagating the delta severities 
severity t o a higher-level correlation server. 

22. (Original) TTie data processing system of claim 21, wherein the severity levels are 
calculated based on at least one of the number of event sets within each of the groups, the source 
attribute of the event sets within each of the groups, the target attribute of the event sets within 
each of the groups, and the event category attribute of the event sets within each of the groups. 

23. (Original) The data processing system of claim 2L wherein the events include at least 
one of a web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a 
network event, an authentication failure, and an access violation. 

24. (Original) The data processing system of claim 2 L wherein the processing unit executes 
the set of instructions to perform the act of: 

calculating the threshold value based on at least one of the source attribute of the event 
sets within the group, the target attribute of the event sets within the group, the event category 
attribute in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group. 

25. (Original) The data processing system of claim 21, wherein the target attribute represents 
one of a computer and a collection of computers. 

26. (Original) The data processing system of claim 21 , wherein the source attribute 
represents one of a computer and a collection of computers. 
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27. (Original) The data processing system of claim 21 , wherein the processing unit executes 
the set of instructions to perform the act of: 

aggregating a subset of the groups into a combined group. 

28-30. (Cancelled) 

3 1 . (New) The computer-implemented method of claim 1 , further comprising: 
receiving, in the higher-level correlation server, a plurality of delta packets from a 

plurality of lower-level correlation servers that include the first correlation server, wherein each 
delta packet contains the respective delta severity for each group of the respective lower-level 
correlation server that has a non-zero delta severity; 

performing a first mathematical operation on the plurality of delta packets to form a new 
delta packet; 

if the higher-level correlation server is the top level of the hierarchy of correlation 
servers, performing a second mathematical operation on the new delta packet and a stored 
severity packet to form a new severity packet; and 

if the higher-level correlation server is not the top level of the hierarchy of correlation 
servers, propagating the new delta packet to a higher-level correlation server. 

32. (New) The computer-implemented method of claim 3 1 , wherein the first mathematical 
operation and the second mathematical operation are each one of addition, arithmetic mean, and 
geometric mean. 

33. (New) The computer-implemented method of claim 3 1 ? further comprising presenting to 
an operator each group which has a respective severity value in the new severity packet that is 
greater than a respective threshold. 

34. (New) The computer program product of claim 1 l s further comprising instructions for: 
receiving, in the higher-level correlation server, a plurality of delta packets from a 

plurality of lower-level correlation servers that include the first correlation server, wherein each 
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delta packet contains the respective delta severity for each group of the respective lower-level 
correlation server that has a non-zero delta severity; 

performing a first mathematical operation on the plurality of delta packets to form a new 
delta packet; 

if the data processing system is the top level of the hierarchy of servers, performing a 
second mathematical operation on the new delta packet and a stored severity packet to form a 
new severity packet; and 

if the data processing system is not the top level of the hierarchy of servers, propagating 
the new delta packet to a higher-level correlation server. 

35. (New) The computer program product of claim 34, wherein the first mathematical 
operation and the second mathematical operation are each one of addition,, arithmetic mean, and 
geometric mean. 

36. (New) The computer program product of claim 34. further comprising presenting to an 
operator each group that has a respective severity value in the new severity packet that is greater 
than a respective threshold. 

37. (New) The data processing system of claim 2U further comprising: 
a second bus system; 

a second memory; 

a second set of instructions within the second memory; and 

a second processing unit connected as the higher-level correlation server; 

wherein the second processing unit executes the second set of instructions to perform the 

acts of: 

receiving, from the first correlation server and a third correlation server, a first 
delta packet and a second delta packet, wherein said first delta packet contains the 
respective delta severity for each group of the first correlation server that has a non-zero 
delta severity and the second delta packet contains a respective delta severity for each 
group of the third correlation server that has a non-zero delta severity; 
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performing a first mathematical operation on the first delta packet and the second 
delta packet to form a new delta packet; 

if the data processing system is the top level of a hierarchy of servers, performing 
a second mathematical operation on the new delta packet and a stored severity packet to 
form a new severity packet; and 

if the data processing system is not the top level of a hierarchy of servers, 
propagating the new delta packet to a higher-level correlation server. 

38. (New) The computer program product of claim 37, wherein the first mathematical 
operation and the second mathematical operation are each one of addition, arithmetic mean, and 
geometric mean. 

39. (New) The computer program product of claim 37, further comprising presenting to an 

operator each group which has a respective severity value in the new severity packet thai is 
greater than a respective threshold. 
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